8429400

VPN Processing via Service Insertion Architecture

Published: April 23, 2013

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method, comprising: sending a request from a network device in a network to a service broker device in a service insertion architecture (SIA) to join a first secure group that is identifiable by a group identification (ID) in the request, the SIA comprising the service broker device configured to handle control traffic for managing secure groups in the network, one or more network devices configured to exchange data traffic as members of the secure groups, and one or more key servers configured to generate policy and encryption keys for the secure groups; receiving, at the network device and from the service broker device, a list of key servers configured for servicing the first secure group, the list including an ordering of the key servers based on meta information associated with the key servers, wherein key servers are included in the list based on being authenticated by the service broker device; selecting, using the network device, a key server from the list based on the meta information; sending, using the network device, registration information to the selected key server to join the first secure group; receiving, at the network device and from the selected key server, policy and encryption keys for the first secure group responsive to the network device being authenticated by the selected key server and established as a group member of the first secure group based on the registration information; and establishing encrypted communication, by the network device and based on the policy and encryption keys received from the selected key server, with one or more group members of the first secure group.

2. The method of claim 1, further comprising: communicating, using the network device acting as a first group member and based on the established encrypted communication, with a second group member via a data plane, wherein the data plane is configured to support encrypted versions of data packets.

3. The method of claim 2, further comprising: configuring data plane communication between the first and the second group members to use Internet Protocol Security (IPSec).

4. The method of claim 3, further comprising inserting the first group member into a virtual private network (VPN) that includes the second group member.

5. The method of claim 1, wherein sending the request to the service broker device and receiving the list of key servers from the service broker device comprise using a control plane communication protocol associated with the SIA.

6. The method of claim 1, wherein sending the registration information to the selected key server comprises using a group domain of interpretation (GDOI) communication protocol.

7. The method of claim 1, wherein the key servers are configured for performing operations comprising: creating encryption keys for associated secure groups, managing security policies for the associated secure groups, managing lifetime of the encryption keys, periodically sending at least one of the encryption keys and the security policies to group members of the respective secure groups, and periodically changing the encryption keys for enhanced security purposes.

8. The method of claim 1, wherein the key servers do not participate in encrypted communications that are established between group members of the associated secure groups.

9. The method of claim 1, wherein the meta information is selected from the group consisting of load at the key servers, data localized to the network device sending the request, a number of group members serviceable by each key server, geographic location of the key servers and multicast capability of the key servers.

10. A method, comprising: sending registration information from a first key server in a network to a network device that is configured as a service broker to handle control traffic for managing secure groups in the network, wherein the first key server is configured to act as one of a plurality of service nodes in a service insertion architecture (SIA) that comprises the service broker, at least one service classifier, and the plurality of service nodes, the registration information including identification of a secure group for which the first key server is configured to act as a service node, the registration information further providing meta information based on which group members of the secure group select a key server from which to obtain policy and key information; announcing to the network, by the first key server, group membership and capabilities of the first key server associated with the secure group, the announcing including identifying the secure group for which the first key server is configured to act as a service node; in response to sending the registration information and announcing the group membership, receiving at the first key server a key server membership list from the service broker, wherein the key server membership list indicates one or more other key servers that are configured for servicing the secure group, the key server membership list received based on the key server being authenticated by the service broker; establishing, using the first key server, a cooperative relationship with a second key server indicated by the key server membership list; and exchanging, by the first key server with the second key server, information on the secure group based on the established cooperative relationship, the exchanging including synchronizing encryption states.

11. The method of claim 10, wherein establishing the cooperative relationship comprises using an Internet key exchange (IKE).

12. The method of claim 10, wherein sending the registration information and receiving the key server membership list comprise using a control plane communication protocol of the SIA.

13. The method of claim 10, wherein the meta information comprises a number of sustainable IKE connections that the first key server is capable of handling.

14. The method of claim 10, wherein the meta information comprises a geographic location associated with the first key server.

15. The method of claim 10, wherein the meta information comprises an indication of multicast capability of the first key server.

16. The method of claim 10, wherein the meta information comprises an update of a status of the cooperative relationship from the first key server to each key server in the membership list.

17. The method of claim 10, further comprising: receiving, at the first key server and from the second key server, information indicating that the second key server is inoperable or at limited capacity; and sending an announcement from the first key server to the service broker indicating that the second key server is inoperable or at limited capacity.

18. The method of claim 10, wherein the first and second key servers are configured for performing operations comprising: creating encryption keys for associated secure groups, managing security policies for the associated secure groups, managing lifetime of the encryption keys, periodically sending at least one of the encryption keys and the security policies to group members of the respective secure groups, and periodically changing the encryption keys for enhanced security purposes.

19. The method of claim 10, wherein the first and second key servers do not participate in encrypted communications that are established between group members of the associated secure groups.

20. A system comprising: a first network device configured to act as a service classifier in a service insertion architecture (SIA), the SIA comprising a second network device configured as a service broker to handle control traffic for managing secure groups in a network that includes a first secure group with the first network device a group member of the first secure group, the SIA further including one or more key servers configured as service nodes to generate policy and encryption keys for the secure groups; and a processor operable to process instructions that are configured to cause the processor to perform operations comprising: sending a request from the network device to the service broker to join the first secure group that is identifiable by a group ID in the request; receiving, at the network device and from the service broker device, a list of key servers configured for servicing the first secure group, the list including an ordering of the key servers based on meta information associated with the key servers, wherein key servers are included in the list based on being authenticated by the service broker device; selecting, using the network device, a key server from the list based on the meta information; sending, using the network device, registration information to the selected key server to join the first secure group; receiving, at the network device and from the selected key server, policy and encryption keys for the first secure group responsive to the network device being authenticated by the selected key server and established as a group member of the first secure group based on the registration information; and establishing encrypted communication, by the network device and based on the policy and encryption keys received from the selected key server, with one or more group members of the first secure group.
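The control-plane behaviour claimed above can be modelled compactly: the broker lists only key servers it has authenticated (claims 1 and 10), orders them by the claim 9 meta information for the requesting group member, and drops a server once a cooperating peer announces it inoperable (claim 17). The following is an added illustration written for this page, not code from the patent or from any vendor; the credential check, field names and ranking priorities are assumptions.

```python
from dataclasses import dataclass


@dataclass
class KeyServer:
    """One SIA service node; fields are an assumed encoding of the claim 9 meta information."""
    name: str
    groups: frozenset       # group IDs this key server services
    load: float             # fraction of capacity in use, 0.0 .. 1.0
    location: str           # site label used for locality ordering
    capacity: int           # group members (IKE sessions) it can sustain
    multicast: bool
    operable: bool = True   # cleared by a peer's claim 17 announcement


class ServiceBroker:
    """Control-plane broker: only authenticated key servers are ever listed to members."""

    def __init__(self, trusted_names):
        self._trusted = set(trusted_names)   # assumption: pre-provisioned trust list
        self._servers = {}

    def register_key_server(self, ks, credential):
        # Constructed credential check standing in for real authentication (claims 1, 10).
        if ks.name not in self._trusted or credential != ("ks-secret", ks.name):
            return False
        self._servers[ks.name] = ks
        return True

    def report_inoperable(self, reporter, peer_name):
        # Claim 17: a cooperating key server announces that its peer is down or at limited
        # capacity. Only a key server the broker itself authenticated may announce this.
        if reporter in self._servers and peer_name in self._servers:
            self._servers[peer_name].operable = False
            return True
        return False

    def key_servers_for(self, group_id, requester_location):
        # Ordered list for the requesting member (claims 1, 9): local first, then least
        # loaded, then highest capacity, then multicast-capable.
        candidates = [ks for ks in self._servers.values()
                      if group_id in ks.groups and ks.operable]

        def rank(ks):
            return (ks.location != requester_location, ks.load, -ks.capacity, not ks.multicast)
        return [ks.name for ks in sorted(candidates, key=rank)]


def select_key_server(broker, group_id, requester_location):
    """Group-member side of claim 1: ask the broker, then take the best-ordered server."""
    ordered = broker.key_servers_for(group_id, requester_location)
    return ordered[0] if ordered else None
```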

Patent Metadata

Filing Date

Unknown

Publication Date

April 23, 2013

Inventors

Mohamed Khalid
Warren S. Wainner
Aamer Akhter
Paul Quinn

Cite as: Patentable. “VPN PROCESSING VIA SERVICE INSERTION ARCHITECTURE” (8429400). https://patentable.app/patents/8429400

© 2026 Patentable. All rights reserved.

Patentable is a research and drafting-assistant tool, not a law firm, and does not provide legal advice. Documents we generate are drafts for review by a licensed patent attorney.